Eheka Pytyvõha

Emboyke pytyvõha apovai. Ndorojeruremo’ãi ehenói térã eñe’ẽmondóvo pumbyrýpe ha emoherakuãvo marandu nemba’etéva. Emombe’u tembiapo imarãkuaáva ko “Marandu iñañáva” rupive.

Learn More

Firefox Okta integration, setting up Agentless DSSO

  • Mbohavai’ỹre
  • 0 oguereko ko apañuãi
  • 2 Hecha
more options

I am currently using trying to set up DSSO with Okta utilizing Firefox. I have been able to successfully set up Edge/Chrome/IE on the domain without issue. I have set the following documentation as outlined on the Okta website for setting up Firefox to no avail. We have been troubleshooting with the Okta experts for the last three days with no forward progress, so I figured I would post the information available here:

Firefox version 107.0.1 32-bit TLS 1.2 NTLM v2 Windows Server 2019 (AD Server) the result that the Okt agentlessDssoPrecheck is returning:

{"result" : "FAIL_NTMLSSP"} - (that is not a misspelling; the return should be NTLM, but whatever)

I have the following options set in Firefox:

network.negotiate-auth.trusted-uris. org.kerberos.okta.com

network.negotiate-auth.delegation-uris org.kerberos.okta.com

network.negotiate-auth.allow-non-fqdn true

network.negotiate-auth.allow-proxies true

network.automatic-ntlm-auth.trusted-uris org.kerberos.okta.com

network.automatic-auth.allow-non-fqdn true

I attempted to pull the logs using set NSPR_LOG_MODULES=negotiateauth:5, but while Firefox does create the log, it doesn't write anything, including the failure to the log. (If I set the value to all:5, I get a ton of information, it appears useless for what I am trying to troubleshoot)

I attempted to pull fiddler and Wireshark information; I haven't set up the decoding on the Wireshark portion yet; however, I did get an extract of the fiddler information, but I didn't spot anything in there that seemed to indicate why the failure was occurring.

I have one suspicion; the following option in both Edge and Chrome has been set: DisableAuthNegotiateCnameLookup = enable - I don't see an option like that in Firefox or something similar to be able to adjust that value.

I am currently using trying to set up DSSO with Okta utilizing Firefox. I have been able to successfully set up Edge/Chrome/IE on the domain without issue. I have set the following documentation as outlined on the Okta website for setting up Firefox to no avail. We have been troubleshooting with the Okta experts for the last three days with no forward progress, so I figured I would post the information available here: Firefox version 107.0.1 32-bit TLS 1.2 NTLM v2 Windows Server 2019 (AD Server) the result that the Okt agentlessDssoPrecheck is returning: {"result" : "FAIL_NTMLSSP"} - (that is not a misspelling; the return should be NTLM, but whatever) I have the following options set in Firefox: network.negotiate-auth.trusted-uris. org.kerberos.okta.com network.negotiate-auth.delegation-uris org.kerberos.okta.com network.negotiate-auth.allow-non-fqdn true network.negotiate-auth.allow-proxies true network.automatic-ntlm-auth.trusted-uris org.kerberos.okta.com network.automatic-auth.allow-non-fqdn true I attempted to pull the logs using set NSPR_LOG_MODULES=negotiateauth:5, but while Firefox does create the log, it doesn't write anything, including the failure to the log. (If I set the value to all:5, I get a ton of information, it appears useless for what I am trying to troubleshoot) I attempted to pull fiddler and Wireshark information; I haven't set up the decoding on the Wireshark portion yet; however, I did get an extract of the fiddler information, but I didn't spot anything in there that seemed to indicate why the failure was occurring. I have one suspicion; the following option in both Edge and Chrome has been set: DisableAuthNegotiateCnameLookup = enable - I don't see an option like that in Firefox or something similar to be able to adjust that value.

You must log in to your account to reply to posts. Please start a new question, if you do not have an account yet.